ALERT: Please treat content from antventure.com, yellowlinebanner.com, redhousebanner.com, t.banner0709.com and knocklis.com with extreme caution
Normally when I write about malvertizing on this blog, the “goal” of the malvertizement has been to expose victims to fake security software (aka fraudware). In one case, the “goal” was to expose the victim to a pornographic web site (complete with streaming video and sound on the opening page – mlb.com was hit by that one).
Today I saw a malvertizement that did not expose victims to fake security software, or unwanted pornography. Instead, it exposed victims to a web site that tried, via various security exploits, to infect computers.
If a victim is exposed to the dangerous content via the malvertizing discovered today, a malicious PDF is downloaded which exploits two vulnerabilities affecting Adobe Acrobat and Adobe Reader (CVE-2008-2992 and CVE-2009-0927). These vulnerabilities are used to try to download even more malicious software via a web page.
Anyway, here is how it happened.
ad.yieldmanager.com loaded content in an iframe from served.antventure.com.
served.antventure.com in turn pulled content, again in an iframe, from ad.antventure.com. The ad.antventure.com content was a slew of script that brought us back to ad.yieldmanager.com.
Then there was some back and forth between ad.yieldmanager.com and ad.antventure.com in iframes until, eventually, ad.antventure.com content loaded, you guessed it, ad.yieldmanager.com content.
From here on in it gets really interesting.
ad.yieldmanager.com loaded content from banner.yellowlinebanner.com.
The banner.yellowlinebanner.com content is a 728x90 banner advertisement featuring expedia.com.au. The HREF for the banner advertisement is an expedia.com.au URL but the graphic for the advertisement (a GIF) is pulled from creatives.redhousebanner.com.
The URL hosting the gif from creatives.redhousebanner.com contains an iframe that loads content from t.banner0709.com.
t.banner0709.com is where things get real nasty. The t.banner0709.com URL is redirected to knocklis.com (HTTP response code 302 - “temporary” move), and it is the knocklis.com web page that exposes the victim to the malicious PDF via an iframe in a PHP page.
The knocklis.com page also tries (and fails) to load a graphic (test.gif) and (unsuccessfully) to load other content from the knocklis.com domain, as well as content from xn--18ba.example.com (this, too, fails).
You will have to forgive my obscuring the URLs – the content is simply too dangerous for curiosity. The exploit code utilized by the malicious PDF is known as “win32/pdfjsc.av”:
As a final note, if we visit the creatives.redhousebanner.com URL directly, the iframe does not appear. Also, antventure.com has been problematic in the past:
The redhousebanner.com GIF
The banner.yellowlinebanner.com content with the iframe content: